Tracking MS08-067 Worm Gimmiv

On October 23, 2008, Microsoft released an out-of-cycle emergency patch for a flaw in the Windows RPC code. The reason for this unusual occurance was the discovery of a “zero-day” exploit being used in the wild by a worm (or trojan, depending on how you look at it). The announcement of a new remote exploit for unpatched Windows systems always raises tension levels among network administrators. The fact that this one was already being used by a worm evoked flashbacks of Blaster and Sasser and other previous threats that severely impacted the networked world.

But, unlike these past worms, Gimmiv turned out to have infected scarcely any networks at all. One reason for this is that the scanning done by Gimmiv looking for vulnerable hosts is limited to the local subnet, meaning it can only jump networks if an infected computer is moved from one network to another. Even if this were not the case, by default Windows XP SP2 (and above) restricts connections to the RPC ports to the local subnet only. So although future trojans and worms might utilize the same exploit, the window of opportunity for a globally impacting worm using this vector has passed for the most part.

Because of some mistakes made by the author(s) of Gimmiv, third parties were able to download the logfiles of the Gimmiv control server. Although most of the data in the logs is AES-encrypted, we were able to find the key hardcoded in the Gimmiv binary and decrypt the data.